Knot Resolver 1.5.0 (2017-11-02)

Bugfixes

Improvements

attempt validation for more records but require it for fewer of them
(e.g. avoids SERVFAIL when server adds extra records but omits RRSIGs)

Knot Resolver 1.4.0 (2017-09-22)

Incompatible changes

lua: query flag-sets are no longer represented as plain integers.
kres.query.* no longer works, and kr_query_t lost trivial methods
'hasflag' and 'resolved'.
You can instead write code like qry.flags.NO_0X20 = true.

Bugfixes

fix exiting one of multiple forks (#150)

cache: change the way LMDB transactions are used. In particular, this
fixes some cases of using too much space with multiple kresd forks (#240).

Improvements

policy.suffix: update the aho-corasick code (#200)

root hints are now loaded from a zonefile; exposed as hints.root_file().
You can override the path by defining ROOTHINTS during compilation.

Knot Resolver 1.3.1 (2017-06-23)

Bugfixes

Knot Resolver 1.3.0 (2017-06-13)

Security

Refactor handling of AD flag and security status of resource records.
In some cases it was possible for secure domains to get cached as
insecure, even for a TLD, leading to disabled validation.
It also fixes answering with non-authoritative data about nameservers.

Improvements

major feature: support for forwarding with validation (#112).
The old policy.FORWARD action now does that; the previous non-validating
mode is still available as policy.STUB, except that it also uses caching (#122).

command line: specify ports via @ but still support # for compatibility

policy: recognize 100.64.0.0/10 as local addresses

layer/iterate: do retry repeatedly if REFUSED, as we can't yet easily
retry with other NSs while avoiding retrying with those who REFUSED

modules: allow changing the directory where modules are found,
and do not search the default library path anymore.

Bugfixes

validate: fix insufficient caching for some cases (relatively rare)

avoid putting "duplicate" record-sets into the answer (#198)

Knot Resolver 1.2.6 (2017-04-24)

Security

dnssec: don't set AD flag for NODATA answers if wildcard non-existence
is not guaranteed due to opt-out in NSEC3

Improvements

layer/iterate: don't retry repeatedly if REFUSED

Bugfixes

lib/nsrep: revert some changes to NS reputation tracking that caused
severe problems for some users of 1.2.5 (#178 and #179)

dnssec: fix verification of wildcarded non-singleton RRsets

dnssec: allow wildcards located directly under the root

layer/rrcache: avoid putting answer records into queries in some cases

layer/iterate: when processing delegations, check if qname is at or
below new authority

Knot Resolver 1.2.3 (2017-02-23)

Bugfixes

Disable storing GLUE records into the cache even in the
(non-default) QUERY_PERMISSIVE mode

iterate: skip answer RRs that don't match the query

layer/iterate: some additional processing for referrals

lib/resolve: zonecut fetching error was fixed

Knot Resolver 1.2.2 (2017-02-10)

Bugfixes:

Fix -k argument processing to avoid out-of-bounds memory accesses

lib/resolve: fix zonecut fetching for explicit DS queries

hints: more NULL checks

Fix TA bootstrapping for multiple TAs in the IANA XML file

Testing:

Update tests to run with and without QNAME minimization

Knot Resolver 1.2.1 (2017-02-01)

Security:

Under certain conditions, a cached negative answer from a CD query
would be reused to construct a response for non-CD queries, resulting
in Insecure status instead of Bogus. Only the 1.2.0 release was affected.

Documentation

Fix a typo in the documentation: the query trace policy is
named policy.QTRACE (and not policy.TRACE)

Bugfixes:

lua: make the map command check its arguments

Knot Resolver 1.2.0 (2017-01-24)

Security:

In policy.FORWARD() mode, the AD flag was always being set by mistake.
It is now cleared, as policy.FORWARD() doesn't do DNSSEC validation yet.

Improvements:

DNSSEC validation has been refactored, fixing many resolving
failures.

Add module 'version' that periodically checks for updates and CVEs.

Support RFC7830: EDNS(0) padding in responses over TLS.

Support CD flag on incoming requests.

hints module: previously /etc/hosts was loaded by default, but not anymore.
Users can now actually avoid loading any file.